DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

IMPROVEMENTS NEEDED TO DHS’ INFORMATION TECHNOLOGY MANAGEMENT STRUCTURE

Office of Information Technology
OIG-04-30               July 2004

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, investigative, and special reports prepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud, waste, abuse, and mismanagement.

This report assesses the strengths and weaknesses of the program or operation under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to the OIG, and have been discussed in draft with those responsible for implementation. It is my hope that this report will result in more effective, efficient, and economical operations.
I express my appreciation to all of those who contributed to the preparation of this report.

Clark Kent Ervin
Inspector General

Contents

  Introduction
  Results in Brief
  Background
  Findings
      CIO Faces Major IT Management Challenges
      CIO Organizational Structure is Not Optimal
      CIO Does Not Manage IT Department-wide
      Opportunities Exist for CIO Management Structure Improvements
  Recommendations
  Management Comments and OIG Evaluation

Appendices

  Appendix A: Purpose, Scope, and Methodology
  Appendix B: Management Comments
  Appendix C: Major Contributors to This Report
  Appendix D: Report Distribution

Abbreviations

  ACE        Automated Commercial Environment
  CIO        Chief Information Officer
  DHS        Department of Homeland Security
  EAB        Enterprise Architecture Board
  eMerge2    Electronically Managing Enterprise Resources for Government Effectiveness & Efficiency
  Energy     Department of Energy
  FDIC       Federal Deposit Insurance Corporation
  FISMA      Federal Information Security Management Act
  IRB        Investment Review Board
  IRP        investment review process
  IT         information technology
  OIG        Office of Inspector General
  US-VISIT   U.S. Visitor and Immigrant Status Indicator Technology
  VA         Veterans Administration

Figures

  Figure 1   DHS Organization Structure
  Figure 2   Overview of DHS’ Investment Review Process

Tables

  Table 1    Comparison of DHS and Leading CIO Organizations

Introduction

In today’s environment, the effective management of information technology (IT) is not only critical to federal agency success, it is required by law. The Clinger-Cohen Act of 1996,[1] one in a series of key IT laws and executive guidance, requires that federal departments and agencies establish chief information officers (CIOs) to institute, guide, and oversee frameworks for managing IT systems and initiatives as strategic investments. Newly established in March 2003, DHS faces the combined challenge of positioning a CIO to comply with federal IT guidelines and bring the department together technologically to accomplish mission objectives and meet performance goals.

Results in Brief

The DHS CIO has a significant role to play in guiding IT resources and capabilities to fulfill the department’s diverse missions.
The enormous task of creating one network and one infrastructure to ensure IT connectivity among the department’s 22 legacy organizations is daunting. In this context, some of the CIO’s challenges are to implement an enterprise architecture; standardize and integrate the department’s many duplicative systems and tools; and institute a program to address the risks and vulnerabilities facing DHS’ IT systems.

Despite these key responsibilities, the CIO is not a member of the senior management team with authority to strategically manage department-wide technology assets and programs. There is no formal reporting relationship between the DHS CIO and the CIOs of major component organizations, which hinders department-wide support for his central IT direction. Further, the CIO has limited staff resources to assist in carrying out the planning, policy formation, and other IT management activities needed to support departmental units. These deficiencies in the IT organizational structure are exemplified by the CIO’s lack of oversight and control of all DHS’ IT investment decision-making.
Instead, there is a reliance on cooperation and coordination within DHS’ CIO Council[2] to accomplish department-wide IT integration and consolidation objectives.

[1] Also known as the Information Technology Management Reform Act, Div E, P.L. 104-106.

The Department of Homeland Security would benefit from following the successful examples of other federal agencies in positioning their CIOs to meet federal guidelines. Specifically, repositioning the CIO to report to the Office of the Deputy Secretary would provide this official the authority and influence needed to guide executive decisions concerning department-wide IT investments and strategies. Having component-level CIOs report to both the DHS CIO and their respective agency heads would help ensure commitment to consolidating the IT infrastructure while also meeting business needs. Further, with adequate IT office support and control of all DHS IT investment decision-making processes, the CIO can better ensure successful accomplishment of IT objectives, programs, and initiatives.

Background

DHS relies on a variety of IT systems and technologies to support its wide-ranging missions, including counter terrorism, border security, and infrastructure protection.
Advanced technologies and IT services are fundamental to support internal operations and to ensure the systems integration and information sharing needed to help protect the homeland in the wake of the September 11, 2001, attacks. DHS’ IT budget in FY 2004 was about $4 billion - the third largest IT investment budget in the federal government - including operations and maintenance costs. Effective and strategic management is the key to maximizing the potential of these technology investments.

Taken together, a series of laws and related guidance provide a management framework for the new department to follow as it evolves and applies IT to meet its mission needs. The Paperwork Reduction Act of 1995[3] designates senior information resources management positions in major departments and agencies with responsibility for applying technology to help reduce the government’s information collection burden. The Clinger-Cohen Act of 1996 renames and elevates the former senior information resources manager positions to executive-level CIOs, who report directly to their agency heads and have IT as a primary responsibility. Further, Office of Management and Budget Circular A-130 - Appendix III - implements the Clinger-Cohen Act by establishing specific policies and procedures for effective IT management. Additionally, the strategies and practices of successful federal agencies provide useful examples and lessons learned that DHS may consider and apply in structuring itself to manage IT effectively.

[2] The DHS CIO Council is comprised of the CIOs from each DHS component, ex officio representatives from General Counsel, the Chief Financial Officer’s Council, the Office of the CIO, and the Executive Procurement Executive Council. The CIO Council was chartered to develop, promulgate, implement, and manage a vision and direction for information resources and telecommunications management within DHS.

[3] Public Law 104-13.

FINDINGS

CIO Faces Major IT Management Challenges

The responsibilities of the DHS CIO, as set forth in the Homeland Security Act of 2002,[4] cover a variety of functions, including IT planning; budgeting and financial management; infrastructure management; systems development; IT human capital; and, support services such as the IT customer help desk. A deputy CIO helps provide enterprise-wide IT support in carrying out these functions. The deputy CIO is responsible for directing information management support processes, and combining IT and telecommunications to provide coordinated capabilities to meet DHS’ information needs.
The deputy CIO also is responsible for research, development, acquisition, and testing of new technologies to support DHS mission needs. In addition, the CIO has six acting directors who report to him in the following functional areas: applied technology, information security, infrastructure, information and application delivery, planning and enterprise architecture, and business support.

These officials, along with the CIO, face the highly complex challenge of managing IT in what constitutes the largest federal department reorganization in 50 years. Since the department’s inception, the CIO has undertaken several initiatives to provide some degree of connectivity among the department’s 22 legacy agencies, including linking e-mail systems and providing access to a shared online intranet portal. However, the larger tasks of identifying department-wide IT assets and creating a consolidated and secure IT infrastructure have yet to be accomplished. All are expected to achieve significant IT efficiencies and cost savings.

Creating a single infrastructure for effective communications and information from the disparate networks of its transferred agencies is the most important task facing DHS. To support this effort, the CIO has established an Enterprise Infrastructure Board that meets periodically to discuss strategies for connecting these local, metropolitan, and wide area networks. The Enterprise Infrastructure Board is comprised of project teams such as the Network Security Board, which is tasked with implementing an initiative to institute the firewalls, routers, switches, and other technologies needed to secure DHS networks. For example, DHS is enhancing the Immigration and Customs Enforcement’s telecommunications “backbone” to create the department-wide network, which will establish data communications with common policies and technical standards among all of its organizational elements.

[4] Title VII, P.L. 107-296, as amended by P.L. 108-107.

Further, the CIO has a key role to play in working with line managers to design and manage an enterprise architecture to guide management of information and technology in the department to help accomplish its many diverse missions. The CIO released the first version of the DHS enterprise architecture in September 2003, and is now working to align its transition strategy with several large projects in the department such as the Automated Commercial Environment (ACE) and the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT).
Work is currently underway to complete a second version of the enterprise architecture and make the transition strategy more detailed and easier to implement.

Another challenge to the CIO is to consolidate the disparate networks, data centers, and systems of the legacy agencies. For example, over 100 redundant and nonintegrated systems are used to support a variety of administrative activities such as accounting, acquisition, budgeting, and procurement. Because of the lack of standardization and interoperability in the current environment, many of these activities are tedious and burdensome. To integrate these systems, DHS has established the “eMerge2” program,[5] scheduled for implementation by September 2006. Further, DHS has responsibility for implementing at least 8 of the top 25 IT projects of civilian federal agencies. Along with eMerge2, these projects include ACE, US-VISIT, the Integrated Wireless Network, and the Rescue 21 maritime communications system.
The CIO has a major role to play in helping ensure that these systems are acquired and implemented to meet expectations of the component sponsors.

[5] Electronically Managing Enterprise Resources for Government Effectiveness and Efficiency.

Additionally, to meet requirements of the Federal Information Security Management Act (FISMA), the CIO is charged with implementing an information security management program that addresses the risks and vulnerabilities facing DHS’ IT systems. As part of its 2003 FISMA evaluation,[6] the OIG reported that none of the DHS components had fully functioning IT security programs; and, there were a number of key areas including systems security risk assessment, planning, testing, and certification and accreditation that required management attention. The OIG recommended that the CIO designate information security a material weakness at DHS. Presently, the CIO is refining and updating IT security plans, policies, and procedures and has implemented an automated software tool to conduct self-assessments to better manage systems security.

CIO Organizational Structure Is Not Optimal

Despite federal laws and guidance on establishing effective IT organizations, the DHS CIO is not well positioned to meet the department’s IT challenges.
With limited resources to carry out his responsibilities, the CIO lacks the authority and the relationships with DHS executive, line, and IT managers across department components to guide them in applying technology to accomplish the department’s missions. While the decisions on structuring and staffing the CIO organization were well intentioned, they have not provided the CIO a sound basis from which to pursue the goals of “one network, one infrastructure, one DHS.” At this critical juncture in the department’s evolution, the CIO would benefit from a more centralized IT management structure and additional staff support to help govern shared IT programs and services as well as to help better direct the components’ mission and supporting technologies in a concerted manner.

CIO is Not Well Positioned to Guide IT Department-wide

Federal laws and regulations recognize the importance of IT to agency missions and emphasize the need for a centrally positioned, senior level proponent who is responsible for strategically managing technology assets and programs across the agency. Accordingly, federal guidelines require that each executive agency position a CIO as a member of the senior executive team with the accountability and responsibility to manage IT across organizational units.
The CIO should report to the agency head, providing advice and assistance to this official on how best to implement and manage IT to improve productivity, efficiency, and effectiveness. Additionally, the CIO is to serve as a bridge between senior executives, line managers, and technical professionals to ensure that IT strategies are communicated effectively and implemented department-wide. Where more than one CIO or senior IT official is designated, the respective duties of the officials must be clearly delineated.

[6] Information Technology: DHS Information Security Program Evaluation, FY2003, Office of Information Technology, Office of Inspector General, Department of Homeland Security, OIG-IT-03-02, September 2003.

DHS CIO is Not a Member of the Senior Management Team

The DHS CIO is not positioned effectively within the department’s hierarchy to meet these requirements. The CIO, who does not report to the Secretary or the Deputy Secretary, is not a member of the department’s senior executive management team. He does not serve as a peer to the DHS Under Secretaries or component directors, nor does he have the opportunity to discuss department-wide IT issues, such as IT planning, investment management, or budgeting, or have the power and influence to guide IT initiatives within DHS components.

Rather, the CIO reports to the Under Secretary for Management, one of the department’s major components.
The CIO is a peer to other operational officers - such as the chief financial officer, the chief human capital officer, and the chief procurement officer - and competes with these officials for resources to carry out his specific responsibilities. Together, these officials meet with the Under Secretary on a bi-weekly basis to discuss and coordinate activities within their respective offices. In this forum, they can elevate unresolved issues among their various offices to senior management attention. They can also learn second hand about issues discussed at more senior executive levels within the department and their role in helping to accomplish department-wide program goals. Because there is no forum to routinely and directly raise IT issues with the DHS Secretary, the DHS CIO must appeal through the Under Secretary for Management for support. Also, the activities and budgets of the CIO are subject to approval by the Under Secretary for Management.

At this subordinate level, the CIO has no authority over the more senior component directors that he is supposed to be overseeing in terms of IT. The CIO must rely on informal channels, rather than the official reporting structure, to accomplish IT objectives.
For example, according to DHS IT officials, the CIO leverages his working relationships with former IT staff who have transferred to various directorates to promote IT shared services objectives and build working relationships with component line managers.

Component CIOs Not Linked to DHS CIO

There is no documented, formal reporting relationship between the DHS CIO and the CIOs of the major DHS component organizations. Officially, these CIOs report to their directorate managers - but not to the DHS CIO. As such, the DHS CIO does not have the power or influence to guide IT initiatives across the department. Figure 1 provides a DHS organization chart depicting these CIO relationships.

Figure 1: DHS Organization Structure

There is no written policy to indicate the DHS CIO’s role towards the component CIOs or their IT infrastructures. Policies to define and communicate these roles and responsibilities of the component level CIOs and their technical staff vis-à-vis the DHS CIO do not exist. For example, the majority of DHS network administrators do not report through a chain of command that links to the DHS CIO. Although the DHS CIO is responsible for management of the IT infrastructure, he does not have any administrative or technical control over the components’ disparate networks.

Further, in some instances, the directorates do not involve or apprise the DHS CIO of their individual IT projects or initiatives.
Component IT managers and their staff might be required to support their respective directorates on initiatives that may directly contradict or interfere with initiatives of the DHS CIO. For example, leadership in some directorates is resistant to the idea of transferring any of their IT infrastructure to the control of the CIO, with the belief that, if anything were to go wrong in support of their missions, they, not the DHS CIO, would be held accountable. Department-wide support and buy-in will be critical if the CIO is to achieve the objective of “one network, one infrastructure” by December 2005.

CIO Staff Resources Are Inadequate

Despite his wide-ranging responsibilities for consolidating DHS’ IT infrastructure, the CIO has a small staff consisting of IT and systems security specialists and IT policy, planning, management, and budget analysts, to support him. Across the six functional areas, the CIO only has been authorized to hire about 65 employees to support a department of over 180,000 employees. As of May 2004, only 49 of these positions were filled. Officials throughout the department have expressed concern that this is an inadequate number of staff to meet the many challenges in providing IT support services and consolidating technology systems, facilities, and initiatives across 22 different components in the new department.

The CIO has relied upon detailees from other component organizations as well as contractors to help satisfy the large amount of work that remains to be accomplished. For example, two of the directors in the office of the CIO are on loan from other organizations.
Further, a CIO working group formed to develop the first version of the DHS enterprise architecture consisted of detailees from various DHS organizational elements. According to the director of Planning and Enterprise Architecture, understaffing and inadequate support from the CIO office resulted in the detailees working overtime each day for several weeks to meet the August 1st deadline for developing the enterprise architecture. In May 2004, the CIO estimated that his office had about 121 contractors and detailees on staff.

The benefit to having the detailees and contractors on board is that these personnel can become familiar with the organization and its systems and can share best practices to help foster improvements. In some instances, it is easier to find subject matter experts within the ranks of detailees and contractors on fairly short notice than to wait for full-time hires. In other instances, the temporary employees may lack the expertise needed to be effective. Another problem is that there is a loss of continuity of services when the detailees or contractors return to their home offices or are reassigned.

In comparison with the DHS CIO resources, the individual components within the department have much larger IT staffs, which they brought with them when they became part of DHS in 2003. Few, if any, are under the purview of the DHS CIO.
Some of the individual component IT shops within DHS are proportionately much bigger than the DHS CIO’s office. For example, as the Government Accountability Office (formerly the General Accounting Office) reported in May 2004,[7] the CIO organization of the former Federal Emergency Management Agency[8] has about 262 permanent employees and approximately 70 temporary (disaster-related) employees. The Transportation Security Administration reports that its CIO organization has roughly 145 employees. The Coast Guard reports that its CIO organization has approximately 140 employees. Together, these three component CIO organizations account for about 600 positions and control about $3.6 billion in fiscal year 2004 IT budget and spending.

CIO officials told the OIG that given their relatively small staff resources they have been “busy putting out fires” in efforts to help get the new department up and running. As a result, they have been hindered in carrying out some of their critical IT management responsibilities. For example, they have not been able to put in place all of the plans to govern IT human capital management across the department. Likewise, they have not been able to institute the central guidance and standards needed for functions such as information security, network management, telecommunications, or web-based applications.
Further, the CIO office has not had the chance to institute a systems development life cycle methodology or update established IT policies and procedures. Without such up-to-date, documented IT direction, inconsistencies in the department-wide processing environment could occur.

To maximize the potential of its limited staff resources and ensure productivity, the CIO uses a matrixed management approach to accomplish IT responsibilities. This means using a variety of support staff, project teams, and working groups. Each of the five directors in the CIO office has a working group with cross-agency representation to support efforts in their functional areas regarding enterprise-wide programs. The benefit of the matrixed management organization is that it integrates various viewpoints, resulting in more cross-agency and thorough decision-making.

[7] Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems, U.S. General Accounting Office (GAO-04-509, May 21, 2004).
[8] The former Federal Emergency Management Agency now comprises the Emergency Preparedness and Response directorate within DHS.

One of the component CIOs said that the matrixed approach is patterned after a model designed by the former CIO of General Motors Corporation in the late 1990s.
At General Motors, information officers were responsible for educating the senior management teams on the value of IT, while process information officers were responsible for identifying common processes and systems across business units. Both positions reported directly to the corporate CIO, as well as their respective unit executives. This matrixed staffing model helped ensure accountability in the large, complex General Motors organization. However, the model is not readily applicable to DHS because, whereas the General Motors CIO was part of the senior executive team and had significant authority over IT as well as the business, the DHS CIO is positioned at a lower organizational level and does not drive IT department-wide. As one industry CIO observed, an IT manager needs business clout - not a “stick,” but power and influence through top leadership buy-in to ensure the ability to accomplish business change.

DHS Had Discretion in Establishing its IT Organization

The current IT management structure can be traced back to the Homeland Security Act, which authorizes the DHS Secretary to position the CIO discretionally within the organization. DHS managers told the OIG that officials within the White House Office of Homeland Security made the decision to have the CIO report to the Under Secretary for Management. The Under Secretary for Management was in agreement with this reporting relationship.

The limited CIO office staffing dates back to the inception of DHS and is, according to senior DHS officials, the result of a cap set on overhead expenses and staff resources for DHS headquarters.
The Management Directorate, as well as the Secretary’s office, was limited to a total of 800 employees. Of the 800, a total of about 65 staff was allotted to the CIO office.

Another contributing factor to the problems with limited staff resources is that all employees in the CIO office must have at least secret level clearances. Obtaining a clearance is a time-consuming process managed by the Office of Personnel Management and largely beyond DHS control. According to the chief human capital officer, because of the Office of Personnel Management’s backlog of new recruits requiring background investigations, it currently takes an average of about 250 days to hire an employee.

DHS CIO Would Benefit from Greater Organizational Authority and Staff Resources

While there is no one way to position a CIO, the best approach is to structure the IT organization to meet the existing need. In our opinion, the decentralized IT model that DHS has chosen is not the appropriate one at this critical time as the department evolves, integrates, and institutionalizes its operations. Senior IT experts said that IT decentralization may be effective in well established organizations with well defined authorities, management reporting relationships, and accountabilities.
Senior IT officials also indicated that IT decentralization might work in entities that are smaller and relatively easy to control.

However, decentralized IT is not effective in a large, complex organization like DHS, which is still working to eliminate duplication, integrate systems, and achieve IT sharing and unity across its 22 legacy agencies. More centralized CIO control is particularly critical at DHS where component missions and objectives are often in conflict with one another. A central advocate may be needed to decide amongst them. For example, both the US Citizenship and Immigration Services and the Customs and Border Protection directorates are developing case management systems. The DHS CIO initially opposed acquiring two separate systems with essentially the same functionality, viewing the duplication as a wasteful investment. However, the director of the U.S. Citizenship and Immigration Services overrode the CIO’s intention to make this a shared endeavor.

CIO Does Not Manage IT Department-wide

The deficiencies in CIO positioning and authority are exemplified by the fragmented manner in which IT investments are managed across the department. Although federal guidance calls for CIOs to play a key role in managing department-wide IT resources, the DHS CIO has a limited role in the department’s investment review process.
It is largely confined to consensus building to manage infrastructure and selected joint or consolidated systems while mission applications and component level IT investments continue to be managed in a decentralized manner. Such oversight limitations hamper CIO progress in accomplishing the vision of eliminating redundancies among the legacy IT systems and programs at all levels across the department.

CIO Does Not Oversee All IT Investments

Federal guidelines give the CIO, in partnership with senior agency executives, the responsibility for ensuring effective management of organization-wide IT to support agency business and missions. To help carry out this responsibility, CIOs are to play a key role in disciplined agency investment review processes for selecting, controlling, and evaluating IT investments to help maximize return on investment and accomplish mission objectives and results.

According to these requirements, DHS has taken steps to establish a process for its investment decision-making and management. Specifically, Management Directive Policy #1400: Investment Review Process provides guidance for reviewing both IT and non-IT investments in the department. DHS’ investments are categorized into four levels based on a combination of factors, including mission criticality, dollar thresholds, and sponsorship.
The levels specify the documentation required for the IT investment review, as well as what office or official within the department’s hierarchy is responsible for making the investment approval and oversight decisions.

However, the CIO does not oversee or control the process for managing IT investments at all levels throughout the department. The following figure provides an overview of the DHS investment review process (IRP) and is followed by a discussion of the CIO’s role at each investment level.

Figure 2: Overview of DHS’ Investment Review Process

Major and Mission Critical Investments

The CIO is not the principal proponent for Level 1 investments, which are mission critical programs with contract costs over $50 million. Rather, a DHS Investment Review Board (IRB) headed by the Deputy Secretary is responsible for reviewing major, mission-critical investments - both non-IT and IT - at this level.
The projects are reviewed for approval and progress, primarily based on “Exhibit 300”[9] business case documentation, which is developed for submission to the Office of Management and Budget pursuant to the annual budget process.

The IRB consists primarily of DHS senior executives from each DHS major component, along with other key officials from the office of the Under Secretary for Management. The CIO is a voting member of the IRB and, as needed, may be called upon to provide guidance on IT investments to more senior level officials. However, the CIO does not have the final say in “Level 1” IT decisions. For example, officials told the OIG that although the CIO did not recommend continuing with development of a second case management system within Customs and Border Protection, the Deputy Secretary decided to proceed anyway.
The CIO’s rationale was that a comparable case management system already under development in CIS could provide the functionality needed for both components.

[9] Exhibit 300s are documents by which project teams can demonstrate to agency management and the Office of Management and Budget that they have employed the disciplines of good project management, represented a strong business case, and met other federal requirements to define the proposed cost, schedule, and performance goals for an investment if funding approval is obtained.

Further, because the CIO does not manage the investment process at “Level 1,” he cannot ensure that major IT investment reviews are conducted in a timely manner to provide the approvals necessary at key points during a system’s life cycle. Financial officers are responsible for coordinating meetings of the IRB. Despite the amount of money expended on major IT systems and initiatives across the department, the IRB has held infrequent meetings to oversee these investments. Many of the meetings scheduled have been cancelled or postponed.

Specifically, since May 2003, the IRB has scheduled 21 meetings, but postponed or canceled 12 of them. Several were related to highly visible IT initiatives such as US-VISIT, IT infrastructure, and the SAFECOM project for wireless communications to support emergency response.
Senior DHS officials said the IRB delays are due to its high-level membership with competing priorities and the fact that the board is just starting out and as yet has no sense of urgency to get things done. Financial officers attributed the missed meetings to inadequate business case information provided by the responsible units to support their programs. These officials said that it is a major challenge to get DHS components to adequately prepare this information in advance for the IRB reviews. Similarly, in its feedback on the President’s budget for FY 2005, the Office of Management and Budget stated that while over half of DHS’ business cases were acceptable, continued improvement is still needed.

Missed milestones due to the IRB meeting cancellations have placed some projects at risk. For example, Customs and Border Protection officials told the OIG that an August 2003 IRB review of the Automated Commercial Environment project was repeatedly rescheduled to the point where some parts of the project ran out of funding and the project was placed on hold. The project did not get the funding it needed to see it through the remainder of the fiscal year until the IRB met and reviewed the project in December 2003.

Significant “Level 2” Investments

The Management Review Council, responsible for “Level 2,” has never met. This Level is comprised of significant IT initiatives with contract costs from $5 to $50 million. The Management Review Council is to review high visibility IT and non-IT programs that may impact more than one DHS component.
These reviews are to be based on “Exhibit 300” budget documentation or a subset thereof. According to Management Directive #1400, the Council is comprised of the CIO, the Chief Financial Officer and the Chief Procurement Officer. However, approval and decision-making authority regarding Level 2 programs rests with the directorate heads and under secretaries for the program’s sponsoring directorate.

Component-level IT Investments

Just as there is no formal reporting relationship between the DHS CIO and the component level CIOs, the DHS CIO also does not control “Level 4” investments. This level is comprised of IT investments for directorates or organizational elements that cost less than $5 million. Rather, senior officials in the DHS components have approval authority for these systems investments. The costs for component systems are generally included on the “Exhibit 53” IT budget summaries annually submitted to the Office of Management and Budget.[10] A number of DHS components also have their own processes for reviewing and managing their IT investments apart from DHS CIO purview.
Although the CIO is supposed to review and approve the component’s investment management processes and randomly select “Level 4” investments to ensure compliance with IT review procedures, this is not being done.

The DHS CIO may not be aware of all IT systems that are being implemented by components in DHS. DHS field offices have implemented systems that do not comply with CIO standards and requirements. For example, without the DHS CIO’s knowledge, one office had implemented a mission critical web-based application without the appropriate investment planning, documentation, and cost estimates. While financial management officials said that such systems are accounted for in the department’s “Exhibit 53” IT investment portfolio submitted to the Office of Management and Budget, only major programs are line items in this document and the system was not included. The application has not been certified and accredited, although sensitive information on people is stored in the system. A DHS field office created the application using open source code in a program that is not supported by the component CIO.
At one time, the system even used a “.com” web address rather than the required “.gov” web address.

This system is not currently on the department’s network. However, given field office independence, the component CIO believed that this could certainly be done without his or the DHS CIO’s knowledge, posing significant security vulnerabilities. Other organizational elements could independently be purchasing systems that may not work together with the overall DHS technical foundation and thus not meet DHS mission and business needs or performance objectives. Greater central CIO oversight and control would ensure more discipline in department-wide IT investment management practices.

[10] An Exhibit 53 is a roll-up of an agency’s major IT programs to comprise the agency’s IT investment portfolio. This report, submitted to the Office of Management and Budget as part of the federal budget process, provides the basic information that an agency needs to link its planning, budgeting, acquisition, and management of IT resources.

Joint, Consolidated, or Cross-Cutting IT Investments

It is at “Level 3” that the CIO has the most responsibility over IT investments. “Level 3” programs have annual costs of $1 to $5 million or life cycle costs of $5 to $20 million.
At this level, the CIO chairs an Enterprise Architecture Board (EAB), which is essentially the same body as the CIO Council, transformed to constitute the EAB when an investment decision must be made. The EAB is comprised of component-level CIOs and chief financial officer and chief procurement officer designees. According to Management Directive #1400, the EAB should include crosscutting business line managers; however, these officials only attend meetings on an as needed basis. Rather, the EAB generally includes only IT personnel and, as such, does not provide a venue for including business perspectives on IT directions.

Management Directive #1400 does not explain the EAB’s role or its transformation from the CIO Council. Because there are no minutes from EAB meetings, the OIG was unable to verify EAB proceedings or results. However, Management Directive #1400 states that the board supports department-wide strategic planning and helps establish strategic guidance. The EAB also reviews and approves individual IT system investments, such as US-VISIT. The CIO uses the board to identify joint or consolidated IT programs that can help integrate and create efficiencies across the department.

The board is responsible for reviewing programs to ensure alignment with the department’s enterprise architecture. Version one of the architecture was released in September 2003. In addition, in the context of the EAB, the CIO in conjunction with the chief financial officer established the “eMerge2” program as an enterprise architecture pilot program.
The objectives of the program are to transform DHS business and financial policies, processes, and applications and eliminate disparate, redundant, and non-integrated systems. The requirements and architecture development contracts for the “eMerge2” program were awarded in December 2003. The CIO’s director of Planning and Enterprise Architecture has been assigned as the contracting officer representative and is responsible for administering and monitoring the “eMerge2” program to ensure compliance with the contract terms and conditions.

Although the CIO is responsible for implementing improvements throughout the department’s IT infrastructure, the CIO actually owns relatively little of these resources. The CIO basically controls the DHS headquarters infrastructure, which includes the backbone and some of the crosscutting IT programs and services. For example, the CIO controls the routers, switches, and hubs comprising the department-wide network. His office outlines the policies and guidance related to IT infrastructure products and services, and provides operational support to DHS headquarters elements in this regard. The office also administers the department-wide security program, providing the tools and support to safeguard and report on security of IT assets in line with FISMA requirements. Further, his office is responsible for web portal capability and delivery of information through the DHS Intranet and Internet sites.
The CIO does not own any of the many mission and administrative systems and facilities within the various components, such as mission-specific applications and data centers. The IT infrastructure managed by the CIO amounts to only $185 million of the department’s total $4 billion budget for information technology.

CIO Relies on CIO Council Forum to Accomplish IT Objectives

Given that the CIO does not control much of the department’s IT programs, he relies on communication, cooperation, and coordination in the context of the CIO Council to work towards achieving the objectives of a unified DHS IT infrastructure. The CIO Council is comprised of the CIOs from each DHS component, ex officio representatives from General Counsel, the Chief Financial Officer’s Council, the Office of the CIO, and the Executive Procurement Executive Council. The CIO Council was chartered to develop, promulgate, implement, and manage a vision and direction for information resources and telecommunications management within DHS. The council is a forum for discussing and coordinating IT systems and programs that are new or have potential for DHS-wide impact. Council members also advise the CIO on policy and fiscal issues having a direct bearing on IT and the abilities of the components to perform their individual and collective missions. The CIO uses the Council as a means to gain cooperation among DHS components regarding opportunities for IT consolidation, common infrastructure services, and information sharing with other agencies.
Such cooperation is especially critical when component leadership initially may not want to give up resources to support department-wide IT initiatives.

However, rather than an authoritative and strategic decision-making body, the CIO Council has evolved into a large information-reporting session where the individual CIOs share updates about the IT activities within their organizations. One IT official described the Council as a free flowing, unstructured body that lacks focus to move beyond talking about IT issues. This is reflected in CIO Council meeting minutes where “decision items” are really administrative action items for future meetings rather than productive outcomes. Further, once the decision items have been completed, there is little documentation of the outcomes or deliverables in subsequent meeting minutes.

The CIO Council is supported by a multitude of committees, working groups, and boards that were established in an ad hoc manner and often have unclear or overlapping functions, creating a confusing IT governance environment. For example, one IT manager indicated that each division within the CIO office has its own working group that meets periodically with people throughout the department to keep everyone abreast of new IT developments and opportunities for cross-functional solutions. Nonetheless, IT officials said that they plan to create still other working groups to address IT issues as they arise.
Another IT official indicated that a Technical Review Board was created on paper, but has never held a meeting. Similarly, per CIO Council minutes, a Web Services Board has been awaiting a charter for over two months, but it has never come to fruition. The DHS CIO estimated that more than 40 different IT working groups have been established. However, his office could not provide the OIG with a complete list of the many different forums. In February 2004, the DHS CIO discussed plans to disband some of these working groups and consolidate the remainder into centers of excellence.

Opportunities Exist for CIO Management Structure Improvements

A number of government agencies successfully aligned their CIO management structure according to relevant IT legislation. These successful CIO organizations provide useful practices and lessons learned that DHS could adopt to help improve its IT management. Their practices might also be considered and applied as part of efforts underway to transition DHS to a more centralized IT support operation.

Examples of Effective Federal CIO Organizations

The OIG met with senior IT officials from three other agencies to discuss how, based on federal guidelines, they structured their IT organizations to effectively support mission needs.
Specifically, the OIG visited the CIOs of the Veterans
Administration (VA), Federal Deposit Insurance Corporation (FDIC), and the
Department of Energy (Energy), organizations that are either comparable to DHS
in terms of complexity or were recommended by the DHS officials as models
for potential review. The CIOs at these organizations told the OIG about the IT
authority afforded them via organizational positioning and reporting relationships,
supporting office structures, and control of IT investment review processes. The
following table summarizes this information in comparison with the DHS CIO
management structure.

Table 1: Comparison of DHS and Leading CIO Organizations

         Reports  CIO Controls           IT Full-time  IT Contract  FY 04 $    CIO       CIO
         to the   Senior IT     Total    Staff         Staff        Total IT   Controls  Controls
         Agency   Managers      Agency   Under CIO     Under CIO    Budget     All IT    IRP
AGENCY   Head     Agency-wide   Staff    Control       Control      (Billion)  Assets    Process
DHS      No       No            180,000  49            121          4.0 B      No        No
Energy   Yes      Yes           14,500   113           207          2.7 B      Yes       Yes
FDIC     No       Yes           5,305    400           540          .219 B     Yes       Yes
VA       Yes      Yes           211,764  300           550          1.5 B      Yes       Yes

Unlike DHS, two of the three other federal CIOs report directly to their agency
heads.
While the CIO of the FDIC reports to the chief operating officer rather
than the chairman, the CIO nonetheless attends the chairman’s meetings and can
directly advise and influence this official on agency-wide IT matters. Further, the
other CIOs have authority over component IT managers and all IT assets within
their organizations. This is not so at DHS. Additionally, IT staff under the DHS
CIO’s control are significantly fewer than at the other agencies. For example, the
CIO at the VA, which is most comparable in size and budget to DHS, has 300 IT
staff while the DHS CIO only has 49. The following case studies provide more
details on the individual CIO organizations studied.

Energy CIO

The CIO at the Department of Energy reports directly to the Secretary and Deputy
Secretary, with the ability to provide each with technical advice - a critical aspect
of the CIO function. The CIO is also a member of the executive management
team - a peer to the Under Secretaries, the Chief Financial Officer, and other
senior program officials from component organizations.
As such, the CIO has the
authority and control needed to strategically manage IT across the department.
The CIO partners closely with the Chief Financial Officer on initiatives such as
electronic government and is a member of key advisory boards and committees.
Previously, the Energy CIO was positioned in different offices within the
department’s organizational structure, including the human resources, and
management and budget offices. However, the incumbent believes that the CIO’s
current reporting relationships are highly effective and in line with Clinger-Cohen
Act requirements as well as leading agency practices.

The Energy CIO has the resources and commitment needed to support the
department’s IT environment. Specifically, the Energy CIO has a deputy CIO,
five associate CIOs, 113 full-time staff, and 207 contractors to support her.
Collectively, they are providing IT support to the department’s 14,500 employees.
To ensure that department-wide needs are adequately represented, the Energy
CIO works with associate CIOs from the various component organizations who
serve as liaisons to their respective business and program units regarding major
IT initiatives. These liaisons do not report directly to the CIO.
However, because
the Energy CIO is an equal partner with the Under Secretaries responsible for
the components, the CIO can oversee and provide input and technical advice
regarding component IT operations.

The Energy CIO has oversight of all IT investments and has instituted
mechanisms to ensure the effective application of technology to help carry out the
agency’s missions and business. For example, the CIO developed an IT Strategic
Plan aligned with the department’s overarching strategic business plan. In
addition, the CIO is responsible for creating all policies and procedures regarding
IT issues. The Energy CIO also has developed an enterprise architecture and
standards for guiding IT investments and modernization initiatives, and ensures
that they support the agency plan. The architecture will be used to help break
down some of the IT stove pipes that still exist in the organization. Currently, the
CIO is conducting a study to inventory all IT assets to determine which can be
consolidated and possibly contracted out.

The Energy CIO is a major player in the department’s capital planning and
investment control processes. In the context of these review processes, the CIO
can ensure that department-wide IT investments are aligned with IT strategies,
policies, and architectures and meet performance expectations. The CIO
co-chairs a Technical Review Board that serves to guide and oversee IT investment
initiatives throughout the department, which uses a balanced scorecard approach
to measure IT performance. The CIO has instituted about 30 management
directives to support IT planning and investment control processes.
For example,
investments are presented to a Capital Review Board - the ultimate investment
decision-making body within the department, chaired by the Deputy Secretary.
The review board is responsible for a range of strategic management and
investment decisions regarding all types of programs, including IT. As a voting
member of the Capital Review Board along with all other department executives,
the CIO has been able to strategically align IT programs to support
department-wide needs. Committed to IT success, the Secretary and the Deputy Secretary
have also established a committee to monitor performance in areas such as
cyber security and e-government to improve Energy’s grade on the Office of
Management and Budget’s scorecard for IT.

FDIC CIO

The FDIC CIO does not report directly to the chairman for day-to-day matters,
but reports to the Chief Operating Officer directly under the Chairman. Despite
this reporting structure, the CIO’s authority is not diminished because he has
direct access to and meets routinely with executive-level decision makers. For
example, the CIO attends all of the FDIC Chairman’s senior staff meetings and
has the opportunity to influence the chairman on agency-wide IT initiatives. In
addition, the Chairman provides input to the CIO’s performance appraisal and
how CIO activities will be measured to gauge performance.
As such, the CIO is
considered a member of the senior executive team, actively participating in and
helping to guide all IT investment decision-making.

The FDIC CIO’s office is centrally organized, with three deputy CIOs heading an
IT division of approximately 400 federal employees and up to 540 contractors.
Collectively, they provide all IT support to the agency’s approximately 5,300
employees, from IT planning to systems acquisition to help desk support for
headquarters, including national infrastructure support. To manage the IT
organization, the CIO office holds regular briefings with agency division directors
to review program status and monitor progress. In addition, the CIO recently
established and chairs an internal agency CIO Council that includes senior level
business office executives, and serves as an advisory body to the CIO. The CIO
Council meetings establish the agency IT plan and strategies, and ensure that
business entities support IT decisions and that, in turn, IT is applied effectively to
meet business needs.

The CIO also uses the CIO Council meetings to discuss and define IT planning
strategies. Key outputs from the council consist of the IT strategic plan, which
outlines IT goals and strategies as they align with the agency business goals
and mission.
With the help of the CIO Council, the CIO is currently creating a
strategic road map to ensure that all systems fit into the common infrastructure.
The agency is updating its system development life cycle methodology, which
will form part of a more consistent project management approach. Further, the
CIO is responsible for developing all IT policies and procedures, using the CIO
Council as a mechanism to solicit opinions and gain agency buy-in on these
documents.

The CIO has oversight over all IT investment initiatives and has put in place
reporting mechanisms for ensuring the effective application of technology to help
carry out the agency’s business mission. The CIO and Chief Financial Officer
co-chair the corporation’s capital review investment committee, which considers,
approves and monitors all major agency capital projects. The committee reviews
business cases and budgets for each IT initiative. For example, when funding
or contracts are needed for a project, the request must be taken to the committee
for approval. The capital investment review committee reports quarterly to the
FDIC board of directors on how IT initiatives are performing, thus ensuring that
milestones are met.

VA CIO

At VA, the CIO reports to the Secretary - a position which affords the officer the
opportunity to provide IT technical and investment management advice at the
most senior level within the department.
The CIO is a member of the senior
management team and a number of different boards and committees within the
department as well, giving him the opportunity to build relationships and discuss
IT initiatives with peers and line managers from three large VA components: the
Veterans Benefit Administration, the Veterans Health Administration, and the
National Cemetery Administration.

Previously, VA was a decentralized organization, but has since moved to a
more centralized IT management structure that includes clear accountability
and performance monitoring. Specifically, IT professionals in the field report
to both the office of the CIO and their respective facility directors, making
them accountable to both IT and the business for their work. While the CIO
office develops the IT employees’ performance appraisals, the facility directors
provide input to these appraisals. Service level agreements and memoranda
of understanding govern these reporting relationships. The new structure gives
the CIO the authority and resources needed to manage IT systems and support
operations at all hospitals and facilities across the VA.

The CIO is supported by three deputy CIOs, four division directors, and 7,000
technical specialists to assist in carrying out department-wide IT responsibilities.
The CIO’s IT budget is $1.5 billion per year, excluding another $1.5 billion
allotted for research and development.
CIO responsibilities include IT strategic
planning, budgeting, investment management, policy and standard setting,
network security, telecommunications management, and enterprise architecture
development for the entire department. The CIO office spent 100 days
deliberating with a working group of representatives from across the department
to reach common ground and produce the first version of the architecture; they are
currently developing the third version of the document.

The CIO heads an IT investment board which brings together senior managers
from across the department to discuss IT initiatives and make investment
decisions. IT investment decisions are subsequently submitted to a senior
management council for review, and then on to the Deputy Secretary. The Deputy
Secretary makes the final investment recommendations to the Secretary who is
the ultimate decision-making authority. When investment decisions are
time-critical, the VA CIO, as a member of the senior management team, has the option
to go directly to the Secretary. The CIO said that this investment process is highly
effective, as evidenced by the fact that for FY 2005, for the first time, the Office
of Management and Budget approved all of the department’s business cases for IT
investments upon initial submission.

DHS Plans for IT Management Centralization

Currently, there are plans under consideration in DHS that, if implemented,
could significantly affect IT and address many of the concerns raised in this
report.
Specifically, on September 12, 2003, the Secretary issued a memorandum
to DHS senior leadership announcing his intention to consolidate and integrate
DHS-wide support functions, including the Office of General Counsel, Human
Capital Services, Administrative Services, Procurement Services, Budget and
Finance Services, and Information Technology. To comply with the Secretary’s
memorandum, the Under Secretary for Management drafted a decision
memorandum outlining possible solutions to consolidating all directorates
under her purview. As part of the decision memorandum, the Under Secretary
solicited information from each senior manager regarding ways to centralize their
respective offices.

Together, the DHS CIO and the CIO Council have determined that centralization
is necessary for the effective delivery of infrastructure and IT services. In
response to the Under Secretary’s request for information, the CIO outlined a draft
transition strategy, endorsed by the CIO Council, that serves as an attachment to
the decision memorandum, discussing a service delivery model for all IT services
customized to meet the mission needs of the DHS legacy agencies. The draft plan
includes a timeline for all centralization functions to be completed within 100
days of initial implementation.

Under the transition plan, the DHS CIO would manage the IT infrastructure (i.e.,
local and wide area networks, telecommunications, applications server hosting,
and collaboration services) and operations (help desk, network operations center,
data centers, and continuity of operations).
All support services personnel would
be transferred to report directly to the DHS CIO. A CIO within Management
would be responsible for enterprise applications related to human resources,
financial, and administrative functions. Component CIOs would continue to
manage mission applications and provide IT services and support for their
respective component operations, with additional oversight by the DHS CIO
to ensure that departmental IT goals and objectives are met. Mission support
personnel would have a dual reporting relationship to both the DHS CIO and the
mission leadership.

Furthermore, the Chief Information Security Officer would manage IT security
policy and operations for the DHS CIO. Individuals and contracts responsible
for supporting delivery of the IT infrastructure and security services would
be reassigned to the respective DHS CIO office infrastructure and security
organizations. In addition, the office of the CIO would have the authority to
appoint business representatives to each component to ensure that mission
requirements are well served by the new service delivery model.

The CIO Council plays a major part in the draft transition plan as well. The CIO
Council - guided by the DHS enterprise architecture, the IRB, and federal laws
such as the Clinger-Cohen Act and FISMA - would provide the decision authority
for policy issues affecting the IT function. As chair of the CIO Council, the DHS
CIO would have the final authority and responsibility for meeting IT missions
and objectives. The CIO Council would have the authority to create IT centers of
excellence, comprised of IT specialists from the various directorates.
The office
of the CIO would manage the centers as a means of delivering DHS-wide IT
capabilities and resources.

The tasks outlined above will take some time to plan and accomplish. However,
once in place, all IT resources and assets would be under the control of the DHS
CIO. Although there are many obstacles to overcome, the plan is expected
to result in significant cost savings and greater consistency and efficiency
by eliminating wasteful duplication, streamlining operation, and increasing
accountability. In addition, the consolidations would help eliminate existing
organizational stovepipes and help build a department culture that is vital to the
long-term success of the agency.

Recommendations

The OIG recommends that, in keeping with legislative requirements and effective
practices of other federal IT organizations, the Deputy Secretary:

1. Implement plans for centralizing IT support services.

2. Reposition the CIO to report directly to the Office of the Deputy
   Secretary, thereby providing the CIO with the authority and the ability
   to influence senior executive decisions concerning department-wide IT
   investments and strategies.

3. Document and communicate the roles of component level CIOs,
   including their dual reporting relationships to the DHS CIO and heads
   of their respective DHS organizations, thereby ensuring their support
   for and alignment with central policies, standards, and strategies for
   consolidating and integrating the department’s IT infrastructure as well as
   mission and business objectives.

4. Provide the DHS CIO office with the staff resources necessary to
   facilitate accomplishment of department-wide IT consolidation objectives
   and supporting initiatives, including IT planning; policy and standards
   formation; enterprise architecture development; network management;
   information assurance; and, technical, business and administrative
   support.

5. Assign the CIO a key role in all levels of the department’s investment
   review process to ensure, guide, and document timely and effective IT
   investment decisions to support accomplishment of department-wide
   business objectives.

Management Comments and OIG Evaluation

We obtained written comments on a draft of this report from the Deputy Secretary.
We have incorporated the comments where appropriate and included a copy of the
comments in their entirety at Appendix B.

The Deputy Secretary concurred with Recommendations 1 and 3.
Specifically,
with regard to Recommendation 1, the Deputy Secretary said that the department
would review further the Secretary’s September 12, 2003, memorandum reflecting
the intent to consolidate and integrate DHS-wide support functions, including the
DHS CIO/CIO council plan for centralization. In response to Recommendation
3, the Deputy Secretary plans to establish formal reporting relationships between
the DHS CIO and the CIOs of the major component organizations. The Deputy
Secretary said that all departmental component CIOs will support the DHS CIO in
all IT matters without exception, in addition to reporting to their respective agency
heads. The formalized relationships and descriptions of duties will be published
in the department’s organization manual; interim guidance will be provided
as needed. The OIG views these plans as positive steps toward improving
enterprise-wide IT management and looks forward to their implementation.

The Deputy Secretary neither concurred nor disagreed with Recommendation 4
with regard to supplying the DHS CIO Office with needed staff resources. The
Deputy Secretary said that the department is constantly striving to provide optimal
resources throughout all DHS components and will look for further opportunities
to re-program critical resources and personnel during the centralization process.
The OIG appreciates the Deputy Secretary’s intentions to optimize resources
across DHS components. However, the OIG encourages more immediate
attention to supplying the CIO office with the staff it needs to carry out its
department-wide responsibilities.
The CIO has the enormous task of creating one
network and one infrastructure to ensure IT connectivity among the department’s
22 legacy organizations. The OIG is concerned that the small CIO office staff of
49 is woefully inadequate to meet the many challenges of providing IT services,
technology systems, facilities, and initiatives to support an organization of
180,000 employees. Without the proper staffing, the Office of the CIO has been
hindered in putting in place the plans, guidance, and standards needed for critical
functions such as information security and wireless communications.

For example, based on its annual evaluation of DHS efforts to meet FISMA
requirements, the OIG reported in September 2003 that none of the components
had a fully functioning IT security program, only 37 percent of DHS systems had
been certified and accredited, and only 39 percent had been assessed for risk.[11]
Further, in June 2004, the OIG reported that DHS had an incomplete wireless
security policy and inadequate procedures to implement a DHS Wireless Security
Program.[12]

Similarly, the Deputy Secretary neither concurred nor disagreed with
Recommendation 5 that the DHS CIO play a greater role in investment
decision-making. The Deputy Secretary countered that the CIO is already an integral
member at all levels of the IT investment review process. The OIG does not
agree.
Although the CIO may be a participant at each of the department’s four
investment review levels, the CIO does not have the power and authority required
by the Clinger-Cohen Act to control all IT investments department-wide. For
example, the CIO does not have the final authority regarding major, mission
critical IT investments at Level 1 within the department. In one instance, the
former Deputy Secretary overrode the CIO’s recommendation to discontinue
development of a costly, duplicative IT system. Further, the OIG identified
instances where DHS components have developed IT systems without CIO
guidance or authorization, creating further duplication and an inefficient use of IT
resources.

In commenting on Recommendation 5, the Deputy Secretary also recommended
adding the CIO as a member of the Level 2 Joint Requirements Council
responsible for non-IT issues, thereby providing an element of crosscutting
and situational awareness. The OIG views this planned action as a good start
toward enhancing the CIO’s involvement in the department’s investment review
process and awaits notification of its implementation.
However, the OIG believes
that more needs to be done to assign the CIO a key role at all levels of the
department’s investment review process.

Finally, the Deputy Secretary did not concur with Recommendation 2 to
reposition the CIO to report directly to the Office of the Deputy Secretary. The
Deputy Secretary said that the current arrangement in which the CIO reports
directly to the Under Secretary for Management does not hinder or preclude
the CIO from performing all essential job-related requirements. The Deputy
Secretary said that the priorities of the Secretary, Deputy Secretary, and DHS are
known throughout the chain of command and the responsible individuals have the
inherent authority to accomplish these tasks.

[11] OIG-IT-03-02.
[12] Inadequate Security Controls Increase Risks to DHS Wireless Networks, Office of
Inspector General, Department of Homeland Security, OIG-04-27, June 2004.

The OIG does not agree with the Deputy Secretary’s response. Federal guidelines
require that each executive agency position a CIO as a member of the senior
executive team with the accountability and responsibility to manage IT across
organizational units.
By reporting to the Under Secretary for Management rather
than to the Secretary, the DHS CIO is not a peer with the DHS Under Secretaries
and component directors, and, as such, lacks the power and influence to advise
senior executives on how best to implement and manage IT across the department.
Also, as the Deputy Secretary acknowledged in the response to Recommendation
3, the CIO’s relationships and duties are not clear and need to be formalized and
published department-wide. Recognizing these limitations, the House
Appropriations Committee notably proposed, in the department’s FY 2005 appropriations
bill, to modify the Homeland Security Act to require that the CIO directly report
to the Secretary of Homeland Security instead of to the Under Secretary for
Management. Without an additional organizational layer to which the CIO must
report, the Committee expects DHS IT decisions to be made more expeditiously.

Appendix A: Purpose, Scope, and Methodology

As part of its ongoing responsibility to assess the efficiency and effectiveness of
departmental programs and operations, the OIG conducted a review of DHS’ IT
management structure.
The objectives of the review were to determine whether the CIO is appropriately positioned and has
a sound structure for managing department-wide IT systems and programs; and to evaluate how
effectively the CIO is planning and managing IT investments to meet the department’s current and
future technology needs.

To review the effectiveness of DHS’ IT management structure, the OIG researched and summarized IT
laws and federal guidance applicable to CIO organizations and IT infrastructure management. The OIG
also researched and reviewed background literature and prior Government Accountability Office
reports on ensuring effective IT organizations.

The OIG then addressed its specific review objectives. First, the OIG met with the DHS CIO and his
executive staff to discuss his role, organization, operations, and position within the department.
The Chief of Staff told the OIG about the CIO’s reporting relationships with the Under Secretary
for Management and other members of the senior executive team. The OIG met with the chief
procurement officer, the chief human resources officer, and a chief financial officer
representative to discuss working relationships between the CIO and his peers within the Management
Directorate.

CIOs of each of the DHS component organizations told the OIG about their individual IT management
environments, CIO reporting relationships, experiences as part of the CIO Council, and coordination
with line of business systems owners. The OIG also met with former component-level CIOs to discuss
their experiences in managing IT at DHS, concerns about attrition, and transitions to incoming CIO
leadership.
Budget officers and other managers within the Office of the CIO discussed IT budgeting, acquisition
processes, IT and architectural planning, performance measurement, and policy and standard setting.
Based on these interviews, the OIG performed an analysis of whether the CIO effectively communicates
enterprise-wide IT strategies, goals, and objectives to senior managers, peers, IT officials, line
managers, and subordinates. In addition, the OIG met with three federal agencies to conduct a best
practices study and compare the DHS IT organization to the CIOs at these agencies.

To address the second objective of assessing the effectiveness of the department’s IT investment
management, the OIG reviewed directives and other available documentation that outlined these
processes. The OIG met with budget officials and chief financial officer representatives to gain a
broader understanding of how these processes work within the department. CIOs, IT officials, and
program officials within the individual component organizations told the OIG about specific IT
investments and how they were controlled within the department. Officials within the office of the
CIO and the budget office also provided an overview of the department’s investment review processes
and gave the OIG copies of the department’s budget documents for FY 2005.
These officials told the OIG about the various managers and forums involved in IT investment review
and decision-making. Representatives of the various working groups, boards, and committees provided
details on how these forums function. Lastly, the OIG examined business cases for selected IT
projects to assess coordination and communication between IT managers and business owners.

The OIG conducted this review from October 2003 to May 2004 at various DHS headquarters and
component organizations, and other federal agencies in the Washington, D.C. metro area. The OIG
limited its review to unclassified systems and processes and did not focus on sensitive systems or
information. The OIG performed its work according to generally accepted government auditing
standards.

The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General for
Information Technology Audits, (202) 254-4100; and Sondra McCauley, Director, Information
Management, (202) 254-4212.
Major OIG contributors to the audit are identified in Appendix C.

Appendix B
Management’s Comments

Appendix C
Major Contributors to This Report

Frank Deffer, Assistant Inspector General, Information Technology Audits;
Sondra McCauley, Director, Information Management Division;
Ann Brooks, IT Audit Manager;
Timothy Walton, IT Auditor; and
Meghan Parker, IT Auditor.

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Under Secretary for Management
Chief Information Officer
DHS OIG Liaison
DHS Public Affairs

Office of Management and Budget

Homeland Security Bureau Chief
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at
(202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or
noncriminal misconduct relative to department programs or operations, call the OIG Hotline at
1-800-323-8603; write to Department of Homeland Security, Washington, DC 20528, Attn: Office of
Inspector General, Investigations Division – Hotline. The OIG seeks to protect the identity of each
writer and caller.
'